Bugtraq mailing list archives

Re: undocumented bugs - nfsd

From: okir () MONAD SWB DE (Olaf Kirch)
Date: Wed, 10 Nov 1999 10:54:31 +0100


On Tue, Nov 09, 1999 at 11:39:39AM +0100, Mariusz Marcinkiewicz wrote:

After reading lcamtuf's posts I decided write this one. Few months ago one
of my friends - digit - found bug in linux nfsd daemon. I made example
sploit about IV 1999. Now in distributions is new nfsd and nowhere was
information about security weaknes of old version!


Well, one gets used to people posting to bugtraq without bothering to
send any mail whatsoever to the maintainer of a free software package.
But whining about the bug not having been fixed without even sending
a bug report *anywhere* kind of beats everything I've seen so far.
Am I now supposed to follow alt.support.p30ple.with.sp311ing.pr0blemz?

FWIW, the source distribution of unfsd contains a file called BUGS
which even the attention span challenged have a hard time overlooking.
This file contains fairly detailed instructions on how to submit a
bug report.

Concerning the problem Mariusz has been handwaving about, this is a
serious issue. It's got nothing to do with realpath(), however. The true
cause of the problem is that the code relies on the total length of a
path to not exceed PATH_MAX + NAME_MAX. I'm not sure whether this is a
common Unix problem, but at least on Linux, PATH_MAX merely seems to put
an upper limit on the length of a single path you can hand to a syscall
(size of a page - 1, i.e. 4095). However it still allows you to create
files within that directory as long as you use relative names only...

As to the impact of the problem, it's nasty, but you will need to have
a directory exported read/write to you in order to exploit it (or you're
able to impersonate a host with this kind of access).

Appended you'll find a patch against 2.2beta46 that rectifies this problem.
The full source for 2.2beta47 can be found at
ftp://mathematik.tu-darmstadt.de/pub/linux/people/okir

Another version (2.2.48) that has some additional, non-security related
fixes I have been working on can be found in the dontuse subdirectory.

Olaf

-----BEGIN PGP SIGNED MESSAGE-----

79a29fe9f79b2f3241d4915767b8c511  nfs-server-2.2beta47.tar.gz
c2ef6e37064ca7d9e52de7b711a7ebec  patch-2.2.47.gz

-----BEGIN PGP SIGNATURE-----
iQCVAwUBOClCC+FnVHXv40etAQGRvwP/czA9uZ3EYthdO01h9E98tOmKgJ+rkJ9q
tBQwrs452a+A3xv6t1/V4rT6Q5BTPnzVkxyAIjiXwhSYbUbBS7C/yCqYfi/fzb2i
6lCYqdBxjxE9hX5PuYR983egHNOnA4dTlSgjhP13bSaNKifF1XwD1IYgGuo1ZoGp
eDNa0+cFGG8=
=dHTh
-----END PGP SIGNATURE-----

--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.

<!-- attachment="patch-2.2.47.gz" -->
<HR>
<UL>
<LI>application/octet-stream attachment: patch-2.2.47.gz
</UL>

Current thread:

Security flaw in Cobalt RaQ2 cgiwrap Chris Adams (Nov 08)
- Irfan view 3.07 buffer overflow UNYUN (Nov 08)
- Re: Security flaw in Cobalt RaQ2 cgiwrap Nathan Neulinger (Nov 08)
  - Re: Security flaw in Cobalt RaQ2 cgiwrap Chris Adams (Nov 09)
- undocumented bugs - nfsd Mariusz Marcinkiewicz (Nov 09)
  - Re: undocumented bugs - nfsd Olaf Kirch (Nov 10)
    - rpc.nfsd exploit code Mariusz Marcinkiewicz (Nov 10)
    - Re: rpc.nfsd exploit code Crispin Cowan (Nov 11)
    - WU-FTPD Mnemonix (Nov 11)
    - Re: WU-FTPD hayward () SLOTHMUD ORG (Nov 12)
    - Re: rpc.nfsd exploit code Mariusz Marcinkiewicz (Nov 12)
    - Re: rpc.nfsd exploit code Rogier Wolff (Nov 12)
    - BIND NXT Bug Vulnerability Elias Levy (Nov 10)
    - Re: BIND NXT Bug Vulnerability Richard Trott (Nov 10)
    - Re: BIND NXT Bug Vulnerability Mike Iglesias (Nov 10)
    - [RHSA-1999:053-01] new NFS server pacakges available (5.2, 4.2) Bill Nottingham (Nov 10)

(Thread continues...)